package cn.xxs.filter;


import cn.utils.EscapeUtil;
import cn.constants.HttpHeaders;
import fr.opensagres.xdocreport.core.io.IOUtils;
import lombok.Getter;
import lombok.Setter;
import org.springframework.util.StringUtils;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * 类简介:XSS过滤处理
 *
 * @Author: ShangGuan
 * @Time: 2024/05/06
 **/
@Getter
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    @Setter
    private String errorMsg = "您所访问的页面请求中有违反安全规则元素存在，拒绝访问";


    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    public XssHttpServletRequestWrapper(HttpServletRequest request, String errorMsg) {
        super(request);
        this.errorMsg = errorMsg;
    }

    // 重写获取参数进行转义
    @Override
    public String[] getParameterValues(String name) throws RuntimeException {
        String[] values = super.getParameterValues(name);
        if (values != null) {
            int length = values.length;
            String[] escapesValues = new String[length];
            for (int i = 0; i < length; i++) {
                // 防xss攻击
                if (EscapeUtil.isContainHtml(values[i])) {
                    throw new RuntimeException(errorMsg);
                }
                escapesValues[i] = values[i];
            }
            return escapesValues;
        }
        return super.getParameterValues(name);
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        // 非json类型，直接返回
        if (!isJsonRequest()) {
            return super.getInputStream();
        }

        // 为空，直接返回
        String json = IOUtils.toString(super.getInputStream(), HttpHeaders.UTF_8);
        if (StringUtils.isEmpty(json)) {
            return super.getInputStream();
        }

        // xss过滤
        if (EscapeUtil.isContainHtml(json)) {
            throw new RuntimeException(errorMsg);
        }
        byte[] jsonBytes = json.getBytes(StandardCharsets.UTF_8);
        final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes);
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return true;
            }

            @Override
            public boolean isReady() {
                return true;
            }

            @Override
            public int available() {
                return jsonBytes.length;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
            }

            @Override
            public int read() {
                return bis.read();
            }
        };
    }

    /**
     * 是否是Json请求
     */
    public boolean isJsonRequest() {
        String header = super.getHeader(HttpHeaders.CONTENT_TYPE);
        return StringUtils.startsWithIgnoreCase(header, "application/json");
    }
}